Security Bulletin: IBM i is affected by several vulnerabilities (CVE-2016-2183 and CVE-2016-6329)

Security Bulletin

Summary

IBM i is vulnerable to several security vulnerabilities. IBM i has addressed these vulnerabilities.

Vulnerability Details

CVEID:CVE-2016-2183DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2016-6329DESCRIPTION: OpenVPN could allow a remote attacker to obtain sensitive information, caused by an error in the in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116341 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Releases 6.1, 7.1, 7.2 and 7.3 of IBM i are affected.

Remediation/Fixes

The issue can be fixed for some applications by applying PTF’s to IBM i. For the remaining applications, follow the steps in the Workarounds and Mitigations section.

Releases 6.1, 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed.

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the Triple DES (3DES) cipher or algorithm will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the 3DES cipher or algorithm and take appropriate mitigation and remediation actions. If 3DES must be used, ensure less than 32GB of data is sent or received using the same symmetric key. To accomplish this, end the secure connection and create a new connection or force a re-key operation prior to crossing the 32GB threshold.

Mitigation instructions for IBM i:

There are at least four different TLS implementations used on IBM i.

- IBM i System SSL/TLS
- OpenSSL in PASE
- IBMJSSE2 – The default Java JSSE implementation
- Domino – contains an embedded SSL implementation. Also uses System SSL/TLS in some configurations.
- Other – Any 3rd party application could include an internal TLS implementation

IBM i System SSL/TLS

IBM i System SSL/TLS is a set of generic services provided in the IBM i Licensed Internal Code (LIC) to protect TCP/IP communications using the SSL/TLS protocol.

System SSL/TLS is accessible to application developers from the following programming interfaces and JSSE implementation:

- Global Security Kit (GSKit) APIs
- Integrated IBM i SSL_ APIs

- Integrated IBM i JSSE implementation (IBMi5OSJSSEProvider)

TLS applications created by IBM, IBM business partners, independent software vendors (ISV), or customers that use one of the three System SSL/TLS interfaces listed above will use System SSL/TLS. For example, FTP and Telnet are IBM applications that use System SSL/TLS. Not all TLS enabled applications running on IBM i use System SSL/TLS.

System SSL/TLS supports and uses by default up to three 3DES cipher suites based on release level.

The application developer determines which cipher suites/algorithms are supported by the application when it is designed.
- Some applications expose the cipher suite configuration to the end user. For those applications 3DES can be disabled through that application specific configuration.
- Many applications do not provide a configuration option for controlling the cipher suites. It is difficult to determine if these applications support 3DES.
- Many applications use the System SSL/TLS default cipher suites such as FTP and Telnet.

After loading the System SSL/TLS fixes listed in this bulletin, applications coded to use the default values will no longer negotiate the use of 3DES cipher suites with peers.

If 3DES support is required by peers of such an application after this PTF is applied, the values can be added back to the System SSL/TLS eligible default cipher suite list using System Service Tools (SST) Advanced Analysis Command SSLCONFIG. To change the System SSL/TLS settings with the Start System Service Tools (STRSST) command, follow these steps:

This will show the help screen that describes the input strings to change the new System SSL/TLS setting for –eligibleDefaultCipherSuites.

System SSL/TLS’s support of 3DES can be completely disabled at the system level using the system value QSSLCSL. In this case, 3DES is disabled for all applications including those with user configuration available for cipher suites.

How to change the QSSLCSL system value:

From a 5250 command line:

WRKSYSVAL SYSVAL(QSSLCSLCTL)

 Enter 5 to display QSSLCSLCTL: This will display one of two things:
 *OPSYS: Which indicates QSSLCSL is controlled by the OS.
 *USRDFN: Which indicates QSSLCSL is editable and controlled by the user.
 If current value is *OPSYS; Enter 2 to edit QSSLCSLCTL: *OPSYS is the default value. Change the value to *USRDFN.

WRKSYSVAL SYSVAL(QSSLCSL)

 Enter 5 to display QSSLCSL: This will display the current ordered list of cipher suites.
 If a cipher suite is in the list that contains the 3DES keyword; Enter 2 to edit QSSLCSL:

*RSA_AES_128_CBC_SHA256 (requires TR6 or later is installed and *TLSv1.2)
*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA256 (requires TR6 or later is installed and *TLSv1.2)
*RSA_AES_256_CBC_SHA

R611 / R610

*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA

Application configuration through Digital Certificate Manager (DCM)

7.1 TR6, 7.2 and 7.3 have DCM options for controlling the cipher suites used for specific applications such as Telnet and FTP. Applications with a DCM application definition can use the DCM Update Application Definition panel to configure which cipher suites are supported by the application. If the DCM value includes a cipher suite disabled by QSSLCSL, that cipher suite value will silently be discarded by System SSL/TLS.

For IBM HTTP Server for i, the cipher suite version cannot be controlled by the DCM application ID.

IBM i Virtual Private Networking

The VPN key manager uses two distinct phases in its implementation. IKE phase 1 establishes the keys that protect the messages that flow in the subsequent phase 2 negotiations. The Internet Key Exchange (IKE) policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations. A data policy defines what level of authentication or encryption protects data as it flows through the VPN. The communicating systems agree on these attributes during the IKE protocol phase 2 negotiations.

The Sweet 32 vulnerability affects VPN connection configurations where the data policy is configured to use the 3DES encryption algorithm. There are two options to mitigate this configuration.
1. Modify the data policy to use AES instead of Triple DES (3DES). Consider changing the IKE policy to use AES if R710 or newer.
2. Set the attribute lifesize for the data policy to less than 32GB.

How to replace 3DES with AES in data policy:
The Triple DES (3DES) encryption algorithms should be replaced with an AES algorithm in existing data policy configurations. The default IBM® Universal Connection VPN configuration is a configuration that uses 3DES for encryption in the IKE policy and the data policy.
To check if a VPN data policy is using 3DES and change the encryption algorithm, follow these steps:
1. In IBM Navigator for i, expand Network > IP Policies > Virtual Private Networking and click IP Security Policies.
2. Right-click Data Policies and select Open.
3. Right-click on the data policy you want to check and select Properties.
4. Click on the Proposals tab.
5. Select any of the data protection proposals that are using the ESP protocol and click Edit.
6. Click on the Transforms tab.
7. Select any transforms from the list that use the ESP protocol and click Edit.
8. If the Encryption algorithm has the value 3DES, your VPN configuration is affected by this security vulnerability.
9. To change the encryption algorithm, select AES from the Encryption algorithm drop-down menu, and click OK.

How to change the lifesize attribute in a data policy:
VPN attributes data policy key lifetime and/or lifesize control how frequently encryption keys are negotiated. Phase 1 negotiations are negotiated once a day, while phase 2 negotiations are refreshed every 60 minutes or as often as every five minutes. Phase 2 negotiations can also be refreshed based on size limits. Setting a data size limit smaller than 32GB results in new encryption keys being generated and used thereby mitigating Sweet 32.
To change the value of the data policy key lifetime or lifesize, follow these steps:
1. In IBM Navigator for i, expand Network > IP Policies > Virtual Private Networking and click IP Security Policies.
2. Right-click Data Policies and select Open.
3. Right-click on the data policy you want to check and select Properties.
4. Click on the Proposals tab.
5. Select any of the data protection proposals that are using the ESP protocol and click Edit.
6. Click on the General tab.
7. Set the key lifetime in the Expire after field. The default is 1 hour.
8. Set the key lifesize in the Expire at size limit field. The default is no size limit.

How to replace 3DES with AES in IKE policy:
<AES is only available in R710 and newer releases>
The amount of data encrypted with the IKE policy 3DES key is under 32GB making its replacement optional. To check if VPN IKE policy is using 3DES and change the encryption algorithm, follow these steps:
1. In IBM Navigator for i, expand Network > IP Policies > Virtual Private Networking and click IP Security Policies.
2. Right-click Internet Key Exchange Policies and select Open.
3. Right-click on the IKE policy you want to check and select Properties.
4. Click on the Transforms tab.
5. If any of the transforms in the list has the value 3DES in the Encryption Algorithm column, your VPN configuration is affected by this security vulnerability.
6. To change the encryption algorithm, select a transform from the list that uses 3DES and click Edit.
7. Select AES-CBC from the Encryption algorithm drop-down menu, and click OK.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Related Information

Acknowledgement

None

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.